
Using Wireshark to View Protocol Data Units (2.6.2.1)

In document 63465356-Ccna-Lab-Book-1 (Page 75-79)

Network Addressing

Lab 2-2: Using Wireshark to View Protocol Data Units (2.6.2.1)

Upon completion of this lab, you will be able to do the following:

■ Explain the purpose of a protocol analyzer (Wireshark).

■ Perform basic PDU capture using Wireshark.

■ Perform basic PDU analysis on straightforward network data traffic.

■ Experiment with Wireshark features and options such as PDU capture and display filtering.

Background

Wireshark is a software protocol analyzer, or “packet sniffer” application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal.

A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can intercept and log data traffic passing over a data network. As data streams travel back and forth over the network, the sniffer “captures” each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is programmed to recognize the structure of different network protocols. This enables it to display the encapsulation and individual fields of a PDU and interpret their meaning.

It is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. For information and to download the program, go to http://www.Wireshark.org.

Scenario

To capture PDUs, the computer on which Wireshark is installed must have a working connection to the network, and Wireshark must be running before any data can be captured.

When Wireshark is launched, the screen shown in Figure 2-10 displays.

To start data capture, select Options from the Capture menu.

The Capture Options dialog box, shown in Figure 2-11, provides a range of settings and filters to determine which and how much data traffic is captured.

Figure 2-11 Wireshark: Capture Options Dialog Box

First, you must ensure that Wireshark is set to monitor the correct interface. From the Interface drop-down list, select the network adapter in use. Typically, for a computer this is the connected Ethernet adapter.

Then, you can set the other options. Among those available in the Capture Options dialog box, the two highlighted in Figure 2-12 deserve examination.

If the Capture packets in promiscuous mode option is not checked, the NIC passes up only the frames it would accept in normal operation: unicast frames addressed to its own MAC address, broadcast frames, and frames for the multicast groups it has joined (plus, of course, everything this computer itself sends). If the option is checked, the NIC also accepts frames addressed to other stations that “pass by” it on the same network segment, and Wireshark captures those as well.

Note: Whether any such frames pass by at all depends on the intermediary device connecting the end-device computers on this network. A hub repeats every frame out every port, so promiscuous mode shows all traffic on the segment; a switch forwards a unicast frame only to the port where it has learned the destination MAC address, so on a switched segment promiscuous mode adds little beyond broadcasts and flooded frames unless the switch port has been configured to mirror traffic. As you use different intermediary devices (hubs, switches, routers) throughout these courses, you will experience the different Wireshark results.

The Enable network name resolution option allows you to control whether Wireshark translates the IP addresses found in PDUs into host names. Although this is a useful feature, turning an address into a name requires a reverse DNS lookup, and those lookups are themselves sent on the network, so the name-resolution process adds extra DNS PDUs to your captured data, perhaps distorting the analysis. (The related Enable transport name resolution option only maps port numbers to service names from a local table and generates no traffic.)

Wireshark also provides a number of other capture-filtering and capture-process settings.

Clicking the Start button starts the data-capture process, and a message box displays the progress of this process (as shown in Figure 2-13).

Figure 2-13 Wireshark Capture Start

As data PDUs are captured, the types and number are indicated in the message box.

The examples in Figure 2-14 show the capture of a ping process (box on left) and then accessing a web page (box on right).

Figure 2-14 Wireshark Capture Output

When the Stop button is clicked, the capture process is terminated and the main screen displays. This main display window of Wireshark has three panes, as shown in Figure 2-15.

Figure 2-15 Wireshark Capture Main Panes

The PDU (or packet) list pane at the top of Figure 2-15 displays a summary of each packet captured. By clicking packets in this pane, you control what displays in the other two panes. Each line in the packet list corresponds to one PDU or packet of the captured data. If you select a line in this pane, more details will display in the packet details pane and in the packet bytes pane. The example in Figure 2-15 shows the PDUs captured when the ping utility was used and http://www.Wireshark.org was accessed. Packet number one is selected in this pane.

The PDU (or packet) details pane in the middle of Figure 2-15 shows the packet selected in the packet list pane in detail: the protocols of the selected packet and the fields of each, displayed in a tree form that you can expand and collapse, one branch per layer of encapsulation.

The PDU (or packet) bytes pane at the bottom of Figure 2-15 displays the actual data of the selected packet in what is known as hexdump style (hexadecimal, representing the actual binary, alongside the printable ASCII), and highlights the bytes of the field selected in the packet details pane. In this lab, this pane is not examined in detail. However, when a more in-depth analysis is required, you will find this displayed information useful for examining the binary values and content of PDUs.

You can save the captured PDUs in a file, and then open this file in Wireshark for later analysis without having to recapture the same data traffic. The information displayed when a capture file is opened is the same as the original capture. Because the file holds the raw bytes of every captured PDU, including any payloads or credentials that crossed the network in clear text, treat saved capture files as sensitive data.
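To make the decoding described in the Background, the promiscuous-mode capture decision, the three panes and the save/open round trip concrete, here is an added example in Python. It is not code from the lab or from the Wireshark project. It writes and reads the classic pcap file format, peels the Ethernet/IPv4/ICMP encapsulation the way the packet details pane does (recomputing the RFC 1071 checksums as a validity check), renders the packet bytes pane as a hexdump, applies the equivalent of an `icmp` display filter, and models which frames a NIC passes up with and without promiscuous mode. All frames, MAC addresses and IP addresses (192.168.1.x, the 08:00:27 and 00:11:22 MACs) are constructed for the example and are assumptions, not captures from the lab network.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
BROADCAST = b"\xff" * 6

def checksum(data):
    """RFC 1071 one's-complement sum used by IPv4 and ICMP; a valid header sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_echo(src_ip, dst_ip, ident, seq, payload, reply=False):  # IPv4 + ICMP echo, checksums filled
    icmp = struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + icmp

def ethernet(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def write_pcap(frames):
    """Serialise frames as a classic pcap byte string (what Save produces)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Parse a classic pcap byte string back into frames (what Open does)."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    frames, off = [], 24
    while off < len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames

def decode_frame(frame):
    """Peel the encapsulation like the packet-details pane: a list of (layer, fields)."""
    etype = struct.unpack("!H", frame[12:14])[0]
    layers = [("eth", {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "type": etype})]
    if etype == 0x0806:
        layers.append(("arp", {"opcode": struct.unpack("!H", frame[20:22])[0]}))
    elif etype == 0x0800:
        ip = frame[14:]
        ihl, total_len, ttl, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
        layers.append(("ip", {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
                              "ttl": ttl, "proto": proto, "checksum_ok": checksum(ip[:ihl]) == 0}))
        if proto == 1:
            icmp = ip[ihl:total_len]
            itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
            layers.append(("icmp", {"type": itype, "code": code, "id": ident, "seq": seq,
                                    "checksum_ok": checksum(icmp) == 0}))
    return layers

def hexdump(data, width=16):  # packet-bytes pane: offset, hex bytes, printable ASCII
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {text}")
    return lines

def display_filter(frames, proto):  # like typing 'icmp' or 'arp' in the filter bar; 1-based frame numbers
    return [n for n, f in enumerate(frames, 1) if any(name == proto for name, _ in decode_frame(f))]

def nic_would_deliver(frame, my_mac, promiscuous):
    """Own transmissions are always captured; received frames only if addressed to this NIC,
    to broadcast or to a multicast group (low bit of first byte set), unless promiscuous is on."""
    dst, src = frame[0:6], frame[6:12]
    return promiscuous or src == my_mac or dst == my_mac or dst == BROADCAST or bool(dst[0] & 1)

# Constructed sample traffic (assumed addresses): this host 08:00:27:aa:bb:cc / 192.168.1.10,
# gateway 00:11:22:33:44:55 / 192.168.1.1, a neighbour 08:00:27:de:ad:be / 192.168.1.20.
MY_MAC, GW_MAC, NEIGHBOUR_MAC = (bytes.fromhex(h) for h in ("080027aabbcc", "001122334455", "080027deadbe"))
SAMPLE_FRAMES = [
    ethernet(GW_MAC, MY_MAC, 0x0800, build_icmp_echo("192.168.1.10", "192.168.1.1", 1, 1, b"abcdefgh")),
    ethernet(MY_MAC, GW_MAC, 0x0800, build_icmp_echo("192.168.1.1", "192.168.1.10", 1, 1, b"abcdefgh", reply=True)),
    ethernet(BROADCAST, NEIGHBOUR_MAC, 0x0806, struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, NEIGHBOUR_MAC,
             socket.inet_aton("192.168.1.20"), b"\x00" * 6, socket.inet_aton("192.168.1.1"))),
    ethernet(NEIGHBOUR_MAC, GW_MAC, 0x0800, build_icmp_echo("192.168.1.1", "192.168.1.20", 2, 1, b"abcdefgh", reply=True)),
]

def capture_seen_by(my_mac, promiscuous, frames=SAMPLE_FRAMES):  # 1-based numbers of frames captured on this NIC
    return [n for n, f in enumerate(frames, 1) if nic_would_deliver(f, my_mac, promiscuous)]

if __name__ == "__main__":                       # save, reopen, decode, filter
    frames = read_pcap(write_pcap(SAMPLE_FRAMES))
    print([decode_frame(f) for f in frames], display_filter(frames, "icmp"), capture_seen_by(MY_MAC, False))
```

Frame 4 (the gateway's reply to the neighbour) is the one that only appears in promiscuous mode, and even then only if the intermediary device actually delivers it to this port. The checksum_ok flags show the kind of validity check a decoder makes against the RFC: corrupt one byte of the IPv4 header and the flag turns false while the ICMP layer still verifies.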

When closing a data-capture screen or exiting Wireshark, a prompt asks whether you want to save the captured PDUs, as shown in Figure 2-16.

Figure 2-16 Wireshark Save Option

Clicking Continue without Saving closes the file and exits Wireshark without saving the captured data.
